CVE-2026-22810

EUVD-2026-30806

18.05.2026, 21:16

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-24 - Path Traversal: '../filedir'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

Vulnerability Media Exposure

[GERMAN] Joplin: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Joplin ausnutzen, um einen Denial of Service Angriff durchzuführen, vertrauliche Informationen offenzulegen oder beliebige Dateien zu überschreiben, was möglicherweise zur Ausführung von beliebigem Code führt.
Published: 2026-05-17T22:00:00+00:00

References

https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16

https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c

https://github.com/laurent22/joplin/pull/13736

https://github.com/laurent22/joplin/releases/tag/v3.5.7

https://github.com/laurent22/joplin/security/advisories/GHSA-gcmj-c9gg-9vh6